Privacy Policy

Looking at our privacy policy?

The protection of your personal data is important for Strapi and we carry out our processing activities in accordance with your rights, as provided for under the European Regulation 2016/679 of April 27th, 2016 (the “GDPR”) and the French law n°78-17 of January 6th, 1978 as last modified by the French law n°2018-493 of June 20th, 2018 on data protection (together referred to as the “Legal framework”). This is the reason we explain, in details, in this document (our “Privacy policy”), the types of Personal information we collect and what may happen to that Personal information when using our Websites and related applications and resources (collectively, the "Services").

Data Controller and contact

The data controller is: Strapi Solutions SAS, a French company whose registered office is located 128, rue de la Boétie, 75008 France, registered on the commercial and company register of Paris under the number 823 487 855, represented by Mr. Pierre Burgy, its President (“Strapi”, “We” or the “Data controller”).

The Data is processed at the Data Controller's operating offices and in any other places where the parties involved with the processing are located.

In order to exercise your rights, as described under the Privacy Policy, or for any question you might have, you can contact us at the following address:

Strapi SAS
128, rue de la Boétie
75008 France
Email address: privacy@strapi.io

Legal basis of processing

The legal basis of Data processing by Strapi is:

  • performance of the contract between Strapi and the User for the use of the Services when applicable;
  • consent of the User in other cases, for instance as far as the use of cookies for certain purposes and the use of Data for commercial prospection are concerned.

By accessing the Websites and the Services, you consent to the collection and use of your Personal information as explained in this Privacy Policy. This Privacy Policy is incorporated into the Strapi Terms of Service, which can be accessed here. Your use of the Services and any information you provide through the Services is subject to the terms of this Privacy Policy and our Terms of Service.

This Privacy Policy applies to the following websites: https://strapi.io ; https://studio.strapi.io; https://slack.strapi.io (the “Websites”).

The Services are provided through:

The Data may be freely provided by the User or collected automatically when using the Services.

When the legal basis of Data processing is consent, Users can withdraw their consent at any time.

An unsubscribe link will be present in newsletters sent by Strapi to the Users.

Data We collect

Creation of a Strapi account and use of Services

To access our Services, you might have to create a User account. When you create an account, we collect your username, email address and password.

If you communicate on Strapi’s Slack account and use the Slack service, We will also have access to your job title and chat history.

We sometimes ask you for your feedback on our Services and, in such circumstances, you might accept to send us your comments on the service, first name, last name, job title, address and telephone number.

If you are a Premium customer, you also consent to the collect of your address, phone number, location, credit card information for the payment of the Services, your company name and job details.

Other Services available

If you visit the Websites and use other Services available such as:

  • “Register to vote”;
  • “Say hello to the user”;
  • “Contact form”;
You consent to the collect of your login, country, town, avatar, email address, username, company name, pseudonym, telephone number.

Shop online

We sale items online to our community (such as stickers and tee-shirts).

You can purchase these items online on our website page: https://strapi.io/shop.

If you purchase an item, We will collect your contact details, address, phone number, location, credit card information and company name in order to deliver the goods.

Other

Other Data collected may be described in other sections of this Privacy Policy.

You are responsible for any Data of third parties obtained, published or shared through the Services and confirm that you have the third party's consent to provide such Data to Strapi.

Purposes of the processing

We process the Data in order to:

  • create a User account;
  • deliver and improve our Services;
  • provide you with any technical support you might need;
  • communicate with you;
  • generate and send invoices;
  • comply with our legal obligations;
  • send you information on the Services We offer;
  • send you information about any change in our business activity;
  • send you information on new Services We might offer;
  • analyze your Data, allowing us to improve our Services and identify Services that might interest you;
  • ask you for feedback on our Services.

Recipients

The Data We collect can be accessible to:

  • certain employees of Strapi working to provide you with the Services: our sales and commercial team, marketing team, accounting team;
  • other Users of the Services for the following Data: username, email, password, job title, chat history;

The third parties receiving such Data are subject to the same obligations than the ones listed under this Privacy Policy.

The User declares to be aware that the Data Controller may be required to reveal Data upon request of public authorities.

Subcontractors

Strapi uses services delivered by Subcontractors (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications agencies).

It always ensures that such Subcontractors provide sufficient guarantee to implement appropriate technical and organizational measures to make sure that the processing of Data complies with the Legal Framework.

The updated list of these Subcontractors may be requested from the Data Controller at any time.

International Transfers

The User has been informed that the Data may be shared with third parties located, or which use servers located, outside of the European Union in countries whose data protection laws differ from those of the European Union.

In these cases, Strapi ensures that the User is informed and that this transfer is performed in compliance with the applicable regulations and guarantees a sufficient level of protection to the privacy and fundamental rights of persons in keeping with the Regulations (in particular via the standard contractual clauses of the European Commission).

You can contact us for any question or request for additional information related to these transfers.

Security measures

The Data Controller processes the Data in a proper manner and shall take appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.

The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated.

We have security measures in place to help protect against the unauthorized access of personally identifiable information under our control. We utilize both online and offline security methods, including firewalls, passwords and restricted physical access to the places where your information is stored to help protect personally identifiable information. Our staff is trained to comply with our security procedures, and our security procedures are regularly reviewed and revised as We deem necessary.

Retention time

The Data is kept for:

  • the time necessary to provide the Services or goods to the User;
  • for a period of 3 years after:
    • the last period of inactivity on the User account;
    • or the last contact made by the User with the Data controller;
  • or any other duration Strapi must comply with, as provided by French law (for example: 10 years for accounting documents).
  • The User's Data may also be used for legal purposes by the Data Controller, for the duration of the dispute, in Court or in the stages leading to possible legal action arising from an improper use of the Services or the related services by the User.

    Collection of information from minors

    The Services are intended for a general audience and are not intended for children under the age of 15. Use of the Services is prohibited for anyone under the age of 15. If you are under 15, you must secure authorization from your parents or legal guardian before using the Services. Although the Services may contain information that may be of interest to children, the Services are not directed at children and We do not knowingly collect or solicit Personal information from children under the age of 15.

    Analytics and Cookies

    The Services contained in this section enable the Data Controller to monitor and analyze web traffic and can be used to keep track of User behavior.

    Google Analytics (Google Inc.)

    Google Analytics is a web analysis service provided by Google Inc. ("Google"). Google uses the Data collected to track and examine the use of the Services, to prepare reports on its activities and share them with other Google services.

    Google may use the Data collected to contextualize and personalize the ads of its own advertising network.

    Personal Data collected: Cookie and Usage data.

    Place of processing: USA

    Displaying content from external platforms

    These services allow you to view content hosted on external platforms directly from the pages of the Services and interact with them.

    If a service of this kind is installed, it may still collect web traffic data for the pages where the service is installed, even when Users do not use it.

    Google Fonts (Google Inc.)

    Google Fonts is a typeface visualization service provided by Google Inc. that allows the Services to incorporate content of this kind on its pages.

    Personal Data collected: Usage data and various types of Data as specified in the privacy policy of the service.

    Place of processing: USA

    Registration and authentication

    By registering or authenticating, Users allow the Services to identify them and give them access to dedicated Services.

    Depending on what is described below, third parties may provide registration and authentication services.

    In this case, the Services will be able to access some Data, stored by these third-party services, for registration or identification purposes.

    Content Commenting

    Content commenting services allow Users to make and publish their comments on the contents of the Services.

    Depending on the settings chosen by the Data controller, Users may also leave anonymous comments. If there is an email address among the Data provided by the User, it may be used to send notifications of comments on the same content. Users are responsible for the content of their own comments.

    If a content commenting service provided by third parties is installed, it may still collect web traffic data for the pages where the comment service is installed, even when Users do not use the content commenting service.

    Disqus

    Disqus is a content commenting service provided by Big Heads Labs Inc.

    Personal Data collected: Cookie, Usage data and various types of Data as specified in the privacy policy of the service.

    Place of processing: USA

    Mailchimp

    Mailchimp is an email address management and message sending service provided by Mailchimp Inc.

    Personal Data collected: Email address.

    Place of processing: USA

    System Logs and Maintenance

    For operation and maintenance purposes, the Services and any third-party services may collect files that record interaction with the Services (System Logs) or use for this purpose other Data (such as IP addresses).

    Cookies

    Any use of Cookies - or of other tracking tools - by the Services or by the owners of third party services used by the Services, unless stated otherwise, serves to identify Users and remember their preferences, for the sole purpose of providing the service required by the User.

    Strapi uses cookies and other services for analysing traffic on the Websites, in order to facilitate the User’s navigation on the Websites and optimise the technical management.

    A cookie is a small information file saved by a website on the User’s computer. The cookie can be re-used during a future visit to the same website but cannot be read by any other website than the one that created it. Most cookies are only valid for the duration of a session or visit.

    No cookie can contain information that allows the User to be contacted by telephone, email or post.

    Most browsers are set to accept cookies automatically; however it is possible for the User to configure their browser to be informed each time a cookie is created or to prevent them for being saved.

    If You do not want the Websites to store cookies on your computer, You have the choice to block the cookies (in other words configure your browser to refuse all cookies) and/or delete the cookies that have already been placed on your computer:

    • under Internet Explorer: You can block cookies by using the parameters to change the processing of cookies by clicking on “Tools”, “Internet Options”, “Confidentiality” and then on the button “Advanced”;
    • on Firefox: You can block all cookies by clicking on “Tools”, “Options”, “Privacy”, selecting “Use custom settings for history” from the drop-down menu and de-selecting “Accept third-party cookies”;
    • on Chrome: You can block app cookies by clicking on “Personalise and control”, then “Parameters”, “Display advanced parameters” and “Content parameters” “Cookies and site data” under the heading “Cookies”.
    Bear in mind, however, that when You deactivate some cookies, some functions may no longer be available on the Websites.

    Your rights

    Information

    In addition to the information contained in this Privacy Policy, the Services may provide the User with additional and contextual information concerning particular services or the collection and processing of Data upon request.

    More details concerning the collection or processing of Data may be requested from the Data Controller at any time. Please see the contact information at the beginning of this document.

    The rights of Users

    Users have the right, at any time, to know whether their Data has been stored and can consult the Data Controller to learn about their contents and origin, to verify their accuracy or to ask for them to be supplemented, cancelled, updated or corrected, to refuse their treatment for certain purposes, to limit the processing, to set instructions for preserving, erasing and communicating their Data after their death as well as the right to the portability of their Data.

    Requests should be sent to the Data Controller at the contact information set out above.

    You have the right to lodge a complaint with the responsible monitoring authority (in France, the CNIL) or to obtain remedies from the competent courts if you think that We have not respected your rights.

    Changes to this Privacy Policy

    The Data Controller reserves the right to make changes to this Privacy Policy at any time by giving notice to its Users on this page. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom. If a User objects to any of the changes to the Privacy Policy, the User must cease using the Services and can request that the Data Controller removes the Data. Unless stated otherwise, the then-current Privacy Policy applies to all Data the Data Controller has about Users.

    Definitions

    For the purpose of the Privacy Policy:

    “Data” or “Personal information” shall have the same meaning than set forth under article 4 of the GDPR and shall mean “any information relating to an identified or identifiable natural person […] ; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

    User

    The individual using the Services (paid subscription or free subscription) or visiting the Websites, which must coincide with or be authorized by the data subject, to whom the Data refers.

    Data Controller

    The natural person, legal person, public administration or any other body, association or organization with the right, also jointly with another Data Controller, to make decisions regarding the purposes, and the methods of processing of Personal Data and the means used, including the security measures concerning the operation and use of the Services. The Data Controller, unless otherwise specified, is the Owner of the Services.

    Latest update

    Latest update: September 5, 2018